… Revised Bill criminalises cybercrimes …

posted 5 Aug… A new Bill designed to give powers to the State Security, Defence, Police and Telecommunications Ministers to intervene in many aspects of South Africa’s key economic, financial and labour environments and zeroing in on cybercrimes and related offences, is in debate. It also calls upon the financial sector to assist in tracking down fraudsters.

Offences include the circulation of messages that aim at economic harm to persons or entities, that contain pornography or that could cause mental or psychological stress. The Bill calls upon the private financial and communications sector and, more specifically, electronic service providers to assist with its objectives. The Bill will also change much in the way government and SOEs go about their business to reflect the current call for electronic security.

The revised Bill is a rewrite of the one originally tabled in 2015 and rejected as too convoluted and wide ranging on issues that could cause unintended consequences.

Badly needed

Despite placing considerable onus upon the private sector to assist, the IT industry seems to be guardedly welcoming the debate which is about to commence. The original and rejected Cybercrimes and Cybersecurity Bill was tabled in Parliament last February.

The main comment circulating seems to be that this later version is more specific than its earlier counterpart, provides more clarity and has less weight placed upon tedious operational management factors in state structures designed to fight cybercrime.

The Bill is the product of the Department of Justice and Constitutional Affairs (DoJ) and from what has been said, Deputy Minister John Jeffery seems to be the state official still running with the legislation. He said at a media briefing some months ago, “This Bill will give the State the tools to halt cybercrimes and trained teams to bring to book those who use data as a tool for their crime.”

Not meant

Originally, when the Bill was tabled in 2015, it caused a storm of controversy. Whilst its objectives to catch criminals and stop the growing invasion of institutional attacks were understood, unintended consequences for the media were not foreseen. The new Bill acknowledges that journalists and whistle-blowers have protection under the Protected Disclosures Act.

However, the somewhat draconian powers of seizure of data granted to the authorities will still no doubt worry many service providers insofar as interlocking the proposals into the Protection of Personal Information (POPI) Act and the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) are concerned, it has been suggested in hearings.

However, the Minister and other ministerial portfolios concerned, appear to have weighted their decision upon the growing threat of international cybercrime and have continued to call for service providers to assist with the issue caused by a late start.

SA under limelight

Some IT forensic reports indicate that sub-Saharan Africa has the third highest exposure to incidents of cyber fraud in the world and according to those who published this fact, they also claim that incidences of cybercrimes and cybersecurity breaches are escalating globally at 64%, with more security incidents reported in 2015 than 2014 for South Africa.

South Africa is known to be a specific target for cybercrime involving unlawful acquisition of sensitive data relating to clients and/or business operations due to a very high reliance on internet connections by commerce. Large data storage packages proliferate in SA, it is suggested, ranging from the JSE to the banking sector.

ATMs, bank transfers

In the case again of South Africa as part of sub-Saharan Africa, wire transfer fraud accounts for 26 percent of cybercrimes, far ahead of the global average of 14 percent, with South Africans being defrauded of more than R2.2bn each year, it is estimated.

Banking and financial institutions in South Africa, it is noted in the preamble to the Bill, are particularly exposed, the Reserve Bank having stated back in 2016, “It would be remiss of us in our duty if we ignored the growing risks emerging from the financial services sector’s increasing reliance on cyberspace and the Internet.”

It criminalises malicious communications – namely messages that result in harm to person or property, such as revenge porn or cyber bullying. The police are given extensive investigation, search and seizure powers in the Bill and an array of penalties, including fines and imprisonment apply, including various prescribed in terms of the Criminal Procedure Act, 1977.

No FICA-type warrants.

It is notable that cyber-crime powers of search and arrest remain with SAPS and not any specific structure or system set up by the new Bill to monitor instances of cybercrime or detect suspicious data attacks.

There remain, however, quite onerous obligations on electronic communications service providers and financial institutions, not only to assist in investigations of cybercrimes but also to report instances of cybercrime. A “framework of mutual co-operation between foreign states” is established in respect of international investigation and the prosecution of cybercrime.

Crime fighting structures

The Cybercrimes and Cybersecurity Bill also establishes a Computer Security Incident Response Team, as did its predecessor, to establish contact with the private sector alongside the already functional Cyber Security Hub responsible to the Minister of Telecommunications and Postal Service.

Finally, on structures, the Minister of Defence is to establish and operate a Cyber Command and appoint a General Officer Commanding.

The Bill also provides for the declaration of what is termed as “critical information infrastructure possessed” by financial institutions – for example databases upon which an attack could possibly represent a national threat. Debate will no doubt flow around who should and should not report, and upon what exactly.

The crimes defined

For the technically minded, in terms of the Bill, the following activities are criminalised: unlawful securing of access to data, a computer programme, a computer data storage medium or a computer system; unlawful acquisition of data; unlawful acts in respect of software or hardware tools; unlawful interference with data or a computer programme; unlawful interference with a computer data storage medium or computer system; unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices.

Also included are cyber fraud; cyber forgery and uttering; cyber extortion and certain aggravating offences; attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding or procuring to commit an offence; theft of incorporeal properties; unlawful broadcast or distribution of data messages which incite damage to property or violence; unlawful broadcast or distribution of data messages which are harmful; unlawful broadcast or distribution of data messages of an intimate image without consent.

The Bill imposes a list of penalties and allows for imprisonment for up to 15 years for cybercrimes and the maximum fine that may be levied for failing to timeously report an incident or failing to preserve information is now capped at R50,000, far less than the extraordinarily high penalties for non-disclosure levied in the initial version of the Bill.

Necessary actions

The search and seizure powers granted in terms of the new Bill “do not represent increasing the state’s surveillance powers”, Deputy Minister John Jeffery said, “But if the State cannot seize evidential material to adduce as evidence, it will be impossible to prove the guilt of an accused person.”

Any hearings will obviously focus mainly upon the onuses and impositions imposed in the Bill upon electronic communications service providers and financial institutions, known by an acronym in the Bill as “ECSPs”. A date for further parliamentary briefings by DoJ has yet to be scheduled.

Cybercrime Bill stated as invasive

…sent to clients 28 Jan… A new law to assist in enforcing South Africa’s fight against cybercrime, hacking and unlawful interception of data is about to be tabled in Parliament. As expected, the proposals are not without considerable misgivings in the private sector and involve claims that the state may have designs upon the control of free speech and/or are intent upon the control or manipulation of cyberspace.

The draft Cybercrime and Cybersecurity Bill (C&C Bill) has now been approved by Cabinet, the draft having been published for comment as far back as September 2015. Industry players are deeply involved and the next platform for their involvement moves to the actual wording of the document that will form the basis for regulations.

Agents for the state

The legislation states that the proposals are designed to give powers to the State Security, Defence, Police and Telecommunications Ministers, which powers will not only extend into many aspects of South Africa’s key economic, financial and labour environments but will impose responsibilities on service providers.

The Bill clearly states it will call upon the private sector for compliance in order to meet its objectives and will also change the way the public service goes about its business to reflect the call for security. Cross hairs are to zero in on the criminalisation of cyber-facilitated offences, including circulation of messages that are aimed at economic harm, contain pornography or could cause mental or psychological harm.

Parliamentary stage

The next stage of public sector involvement will be extensive parliamentary hearings, no doubt involving joint portfolio committees, to cover the many aspects involved. These will also allow for further submissions on deep concerns in the private sector regarding compliance and intrusion of free speech rights.

The long and quite complicated process of drafting such legislation has been undertaken by the Department of Justice and Constitutional Development. It is stated that the proposals are of an umbrella approach towards legislation already in the ambit of the new Bill, the objective of which is to extend any new regulations over a wide range of business endeavours and activities “in the public interest”.

Long history

The process started at a point in the cybercrime history log which seems a century ago. A government gazette articulated what was necessary. “I, Mbangiseni David Mahlobo, Minister of State Security, hereby publish the National Cybersecurity Policy Framework as approved by Cabinet in March 2012 for public information.”

The long journey has finally resulted in a 130-page draft which firstly creates offences, prescribes penalties and regulates for powers to investigate, gain access, search and seize items. It gives such powers to the South African Police Service (SAPS) and the State Security Agency (SSA).

Future structures

The Bill then proposes that structurally the Minister of Police establish both a National Cybercrime Centre and appoint a director in charge – a person currently serving with the SSA – and similarly appoint such a director in charge for a “point of contact centre” for cybercrime activity, outreach and contact.

Monitoring all structures will be a Cyber Response Committee (CRC) made up of 13 experienced persons chaired by the DG, Dept. of State Security.

Any interventions at this level will be, by nature of the vastly changing business environment and the global challenge of the subject matter of the Bill, “which will form the critical point of balance between the forces of state control and public endeavour”.

Ground troops

Initially, the Minister of State Security is to appoint a director in charge of a proposed Cyber Security Centre, such person also serving with SSA and for the Minister to establish Government Security Incident Response teams, also appointing a person from the State Security Agency as the head of each specialised investigating team.

Finally, on structures, the Minister of Defence is to establish and operate a Cyber Command and appoint a General Officer Commanding.

Furthermore, provision in the Bill is made for the Minister of Telecommunications and Postal Services to establish and operate a Cyber Security Hub and appoint a director of same. It is in this area that assumedly the main interface between private and public sectors will take place.

Key points

An example of a database to be protected is given in the Bill as the Home Affairs database and the mandate for dealing with cybercrime clearly includes the fact that foreign states and South Africa will be co-operating to investigate possible offences.

Also, powers are granted to the President who may enter agreements with foreign states to promote cybersecurity. The proposals make it quite clear that international crime fighting and the local protection of cyberspace are to be woven together. This will involve changes to the anchor Electronic Communications and Transactions Act, particularly where the Act deals with attempts to deal with abuse of information systems.

The nitty gritty

Where the C&C Bill ventures into the private sector there will no doubt be, and certainly has been to date, plenty of debate. The Bill as proposed, broadly and perhaps too grandly, allows for the imposition of obligations on electronic communications service providers (ECSPs) and financial institutions in respect of aspects “which may impact on cybersecurity”.

The difference between obligations and compliance seems a fine line but already the Dept. of Telecommunications has set up a website at https://www.cybersecurityhub.gov.za/ to try to clarify issues.

At what point?

The general obligations of ECSPs are set out in the draft bill but an obligation is proposed that as soon as an ECSP “becomes aware of an offence being committed on its network”, the matter must be declared to the National Cybercrime Centre.

The offences are enumerated in the Bill but it is possible that clarity is required, according to stakeholders who have voiced opinions so far, as to who decides, and at what level, that the retention of a suspicion becomes an offence or, to restate the problem, at what point a suspicion becomes a reportable fact.

Extensive powers

Most focus on the fact that the Bill’s clause 58 gives the State Security Minister powers to determine what should be included in a “national critical information infrastructure”.

The Bill goes on to state that should it “appear” to the Minister that any information presented is of such “strategic nature” that any interference, loss, damage, immobilisation or disruption may result in prejudice to the “security, defence, law enforcement or international relations of South Africa; or prejudice the health and safety of the public; interfere or disrupt any essential service”, then the Minister may implement the powers granted by the Bill.

The “Apple” problem

Broadly speaking, also included is any malevolent act which “causes any major economic loss, destabilises the economy of South Africa or creates any form of public emergency” with the proviso that the organisation must “at its own cost take steps to the satisfaction of the Cabinet minister” to comply with a state request.

Any “affected organisation may be given the right to be afforded an opportunity to make representation” but, to repeat, players in the industry note that a great amount of responsibility has been delegated without clear definitions of what is reportable.

The background

The seriousness of the Bill and the recognition that cybercrime must be dealt with firmly is measured by the background given to the Bill. It is estimated that cyber-related offences currently exceed a value of more than R1bn annually. This is escalating at speed, the Department of Justice states.

In general terms, one of the tasks of the Cybercrime Centre is stated in the revised draft as informing all of cybercrime trends and creating an environment which enables parties to report cybercrime without being suspected of whistle-blowing with the accompanying commercial disadvantages.

In other words, the fear with the original draft expressed by the Right2Know campaign that the draconian powers of seizure worried many in the IT industry and that lack of protection for whistle blowers was out of kilter with free speech requirements, may have to some extent been responded to.

Heavy hand of the law

Still, fines of up to R10m and/or 10 years’ imprisonment are involved following a guilty verdict for unlawfully accessing or intercepting “a national critical information infrastructure” involving “critical data”, which makes for a tricky scenario for ECSPs handling traffic and journalists handling information.

This is in the light that an ECSP could be liable on conviction to a fine of R10 000 for each day on which such failure to comply with disclosure requirements continues, it was noted. To be specific, some fifty offences are detailed in the areas of data, messages, computers, and networks.

This is serious talk. Whilst national cybersecurity needs are recognised as paramount, as the latest draft explains, the extent of state powers in the hands of uncontrolled and misdirected state effort gives concern to many in the ECSP business community, particularly in the light of the public nature of the internet.

No warrantless searches

On the other hand, whilst the C&C Bill gives SAPS and SSA extensive powers to investigate, search, access and seize assets wherever they might be located, the search powers granted are not emanating from the proposed Bill.

Search powers are only possible provided the search entity has a search warrant granted in the normal way, the department says. SSA will be purely looking, they say, for data that has a feature of malevolence and commits crime in terms of the need to protect the State and its citizens.

At a briefing for the media at the Justice and Constitutional Development Department in Pretoria, Deputy Minister of Justice and Constitutional Development, John Jeffery, gave a further assurance that what is about to arrive in Cape Town “will not give any powers to the State Security Agency (SSA) to control the internet or spy on local users”.

Criminal data

The search and seizure powers granted in terms of the latest draft of the C&C Bill around the interception of data “do not represent increasing the state’s surveillance powers”, the Minister said.

“As part of the final draft of the bill, it says that to prove an offence in a court of law, data must be seized as evidential material. If the State cannot seize evidential material to adduce as evidence, it is impossible to prove the guilt of an accused person.”

The Criminal Procedure Act is currently used to investigate cybercrimes, Minister Jeffery said, and to this end the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) “are already in the tool box”.

Anchor still RICA

The C&C Bill is merely extending the RICA from that aspect, he said, which already has basic general principles in place to protect persons against unlawful interception of communications. “There is thus no extension of the so-called ‘surveillance powers’ of the State”, he added.

He confirmed that, whilst previous versions of the Bill stated that a person who fell foul on the issue of state information that was classified as secret could go to jail for 10 years without the possibility of a fine, the final draft of the Bill now acknowledges that journalists and whistle-blowers have protection under the Protected Disclosures Act.

Minister Jeffery said he was satisfied that the C&C Bill, now headed towards its final shape, gives the State the tools to halt crime and bring those who used data as a tool of crime to book.

Defining data

He concluded, “Data is merely a means to commit offences such as fraud, damage of programmes and computer systems, extortion, forgery and uttering. It can also be used to commit murder by remotely switching off a respiratory system or terrorism by overloading the centrifuges of a nuclear station or remotely opening the sluices of a dam which causes large scale flooding.”

Much of what will come up in the parliamentary hearings of submissions will most likely involve the space occupied by the ECSPs and their responsibilities as perceived by the State. Furthermore, the role to be played by any business institution using large amounts of data needs to be clarified as far as areas of compliance are concerned.

Justice dept to combat cybercrime…..

A draft Cybercrimes and Cybersecurity Bill has been released for public comment by the Ministry of Justice and Constitutional Development, proposing to introduce a number of measures to combat cybercrime in South Africa.

With the publication came the worrying but suspected statement that it was estimated that cyber-related offences are escalating considerably and “currently exceed a value in excess of R1bn annually.” The Minister stated that it was the department’s view that the development of the proposed legislation “was a milestone towards building safer communities as envisaged in the National Development Plan” and aimed at putting in place “a coherent and integrated cybersecurity legislative framework to address various shortcomings which exist in dealing with cybercrime” in South Africa.

Powers

The Bill proposes regulations to allow a national cyber entity, “to investigate, search and access, or seize, as well as aspects of international cooperation in respect of the investigation of cybercrime.”

Power of Internet

Whilst the list seems long, the Bill indeed gives some idea of the levels which cybercrime has now reached, but it also indicates that many forms of crime have turned to the Internet as a vehicle for criminal activities, both locally and internationally.

In addition, South Africa’s President is being given powers to “enter into agreements with foreign states to promote cyber security.”

The government is to establish what exactly are “national critical information infrastructures” and will provide for the establishment of a “point of contact” and various structures to deal with cyber security. Wording later in the Bill indicates that this will be called the “National Cybercrime Centre”.

National Cybercrime Centre

Once again, the communications industry is called upon to assist and impose “obligations on electronic communications service providers with respect to cyber security.” This is the clause that is bound to cause offence, even rejection because of cost and which appears to ask providers to do the work and with stiff penalties of up to R10,000 a day for every day the matter is not reported to the National Cybercrime Centre.

The clause reads, “An electronic communications service provider that is aware or becomes aware that its computer network or electronic communications network is being used to commit an offence provided for in this Act must (a) immediately report the matter to the National Cybercrime Centre; and (b) preserve any information which may be of assistance to the law enforcement agencies in investigating the offence, including information which shows the communication’s origin, destination, route, time date, size, duration and the type of the underlying services.”

Who is responsible

Earlier this year, at a cybercrime symposium in Johannesburg, the Minister of State Security said, “The Government’s approach in dealing with this matter is premised on the policy principle that national security, which includes the security of the information and communications technologies in the country, is a responsibility of the structures responsible for security in the Republic.”

This statement, when re-read, can obviously work in many ways and the Bill appears to do just this.

Cybersecurity for SA to fight cybercrime….

A Green Paper for discussion on fighting cybercrime in South Africa is expected before the end of the year, Minister of State Security, David Mahlobo, said in his budget vote speech and a Bill setting up a Cybersecurity Agency by the end of next year will be enacted, developing upon the current ad hoc response to cybercrime events.

Experts in the industry are hoping that the Green Paper will recommend private/state partnerships.

Some time ago the African Union called on each of its member nations to develop a policy on cybersecurity but experts complain that South Africa has no culture of cybersecurity and is falling behind on partnerships that would enable the country to defeat what the United States has named as one of the greatest threats to its own national security.

Fraud flooding SA

With hundreds of incidents a day in South Africa affecting households, banking institutions and financial houses, let alone those which affect international security and crime and policing matters, Minister of State Security, David Mahlobo, has undertaken to finalise a South African National Cybersecurity Policy during the current financial year.

A National Cybersecurity Policy Framework was promised as far back as 2012 in response to a committee set up, tasked with monitoring the implementation of such a policy. South Africa already has an Electronic Communications Security Computer Security Incident Response Team but this is acknowledged as a “pro tem” arrangement.

Small team of experts

Minister Mahlobo announced that a Cybersecurity Bill would be drafted setting up a “Cybersecurity Centre sphere” which would “enhance the work of this small team” and the body in terms of the new Bill would become a government agency reporting to his department.

He also announced that a Green Paper expanding on intelligence needs in this area would be tabled in Cabinet for approval during the third quarter of 2015/16. With broadband penetration becoming so pervasive in Africa, the 20% of Africa’s citizens now connected to the web are particularly vulnerable, it was noted.

The AU paper on cybersecurity generally describes four cyber-related components specified by the AU convention which should be invested in, namely a national, publicly available cybersecurity policy; cyber public-private partnerships in the national interests communicating with other countries; cybersecurity capacity building and training and a plan for developing a culture of cybersecurity countrywide.

Policy paper then Bill

As stated, the first component is that South Africa should undertake to develop, in collaboration with stakeholders, a national cybersecurity policy… and outline how the objectives of such a policy are to be achieved. At last this is being dealt with.

Local IT experts have called for the department to adopt measures and a plan to develop capacity building with a view to offering training on all areas of cybersecurity and a clear policy which sets standards for the private sector and developers.

SARS role at border posts being clarified …. In adopting the Border Management Authority (BMA) Bill, Parliament’s Portfolio Committee on Home Affairs agreed with a wording that at all future one-stop border […]